Subject: conntrack tuple
From: Miguel Alejandro González @ 2012-09-14 14:57 UTC
To: netfilter-devel
Hello
I have some questions about how the conntrack tuple handles ICMP error messages...
When an ICMP error packet arrives containing an embedded UDP or TCP
packet, assuming there was already a UDP or TCP connection being
tracked by conntrack, what are the IP addresses of the tuple, the ones
from the ICMP error message or the ones from the embedded packet? Also,
does the tuple save port information in this case as well as ICMP
type and code? How does conntrack know that the ICMP error message is
related to an existing connection?
Regards!
Subject: Re: conntrack tuple
From: Pablo Neira Ayuso @ 2012-09-15 21:14 UTC
To: Miguel Alejandro González; +Cc: netfilter-devel
Hi,
On Fri, Sep 14, 2012 at 09:57:36AM -0500, Miguel Alejandro González wrote:
> Hello
>
> I have some questions about how the conntrack tuple handles ICMP error messages...
>
> When an ICMP error packet arrives containing an embedded UDP or TCP
> packet, assuming there was already a UDP or TCP connection being
> tracked by conntrack, what are the IP addresses of the tuple, the ones
> from the ICMP error message or the ones from the embedded packet?
It uses the inner headers of the ICMP error message, i.e. "the ones from
the embedded packet".
See net/ipv4/netfilter/nf_conntrack_proto_icmp.c
> Also, does the tuple save port information in this case as well as ICMP
> type and code?
Conntrack does not save any ICMP error information.
> How does conntrack know that the ICMP error message is related to an
> existing connection?
The conntrack code looks up an existing entry by using the
information in the inner headers of the ICMP error message.
If no entry is found, the packet is considered invalid, and you can
drop it with iptables ... -m state --state INVALID
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
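As an added illustration (not code from this thread or from the kernel), here is a userspace C model of the lookup described above: it parses a constructed ICMP destination-unreachable packet, takes the tuple from the IP/UDP headers embedded in it, inverts that tuple the way nf_ct_invert_tuple() does, and looks it up in a constructed table of tracked connections; a miss is the case conntrack reports as INVALID. The table, the packet bytes and all function names are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-ins for nf_conntrack_tuple and nf_conn->tuplehash[]. */
struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
struct conn  { struct tuple dir[2]; };               /* [0] ORIGINAL, [1] REPLY */
/* Constructed table: one tracked UDP flow 10.0.0.1:40000 -> 192.0.2.10:53. */
static const struct conn table[] = {
    { { { 0x0a000001, 0xc000020a, 40000, 53, 17 },
        { 0xc000020a, 0x0a000001, 53, 40000, 17 } } },
};
static uint32_t be(const uint8_t *p, int n) { uint32_t v = 0; while (n--) v = v << 8 | *p++; return v; }
static int tuple_eq(const struct tuple *a, const struct tuple *b)
{ return a->saddr == b->saddr && a->daddr == b->daddr && a->proto == b->proto &&
         a->sport == b->sport && a->dport == b->dport; }
/* Models icmp_error_message(): take the tuple from the IP+L4 headers embedded in
 * the ICMP error, invert it (as nf_ct_invert_tuple() does) and look it up. Returns
 * the direction hit (1 = IP_CT_IS_REPLY) or -1 where conntrack marks the packet INVALID. */
static int classify_icmp_error(const uint8_t *pkt, size_t len)
{
    size_t ihl = len >= 20 ? (pkt[0] & 0x0f) * 4 : 0;
    if (!ihl || len < ihl + 28 || pkt[9] != 1) return -1;   /* outer IP + ICMP + inner IP */
    const uint8_t *icmp = pkt + ihl, *in = icmp + 8;         /* in: embedded IP header */
    size_t in_ihl = (in[0] & 0x0f) * 4;
    if (len < ihl + 8 + in_ihl + 8 ||                        /* need 8 bytes of inner L4 */
        (icmp[0] != 3 && icmp[0] != 4 && icmp[0] != 11 && icmp[0] != 12))
        return -1;                                           /* truncated or not an ICMP error */
    struct tuple t = { be(in + 12, 4), be(in + 16, 4), be(in + in_ihl, 2),
                       be(in + in_ihl + 2, 2), in[9] };
    if (t.proto != 6 && t.proto != 17) return -1;            /* only TCP/UDP modelled here */
    struct tuple inv = { t.daddr, t.saddr, t.dport, t.sport, t.proto };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        for (int d = 0; d < 2; d++)
            if (tuple_eq(&inv, &table[i].dir[d])) return d;
    return -1;                                               /* no entry: INVALID */
}
/* Constructed ICMP port-unreachable (type 3, code 3), 198.51.100.1 -> 10.0.0.1,
 * quoting the tracked datagram. classify_quoted_port() patches the inner UDP
 * destination port so a tracked (53) and an untracked (54) flow can both be tried. */
static const uint8_t pkt_template[] = {
    0x45,0,0,0x38,0,0,0x40,0,0x40,0x01,0,0, 0xc6,0x33,0x64,0x01, 0x0a,0,0,0x01,
    0x03,0x03,0,0, 0,0,0,0,                                  /* ICMP header */
    0x45,0,0,0x1c,0,0,0x40,0,0x40,0x11,0,0, 0x0a,0,0,0x01, 0xc0,0,0x02,0x0a,
    0x9c,0x40, 0x00,0x35, 0,0x08, 0,0 };                     /* UDP 40000 -> 53 */
int classify_quoted_port(uint16_t dport)
{
    uint8_t buf[sizeof pkt_template];
    memcpy(buf, pkt_template, sizeof buf);
    buf[50] = dport >> 8; buf[51] = dport & 0xff;             /* inner UDP dport */
    return classify_icmp_error(buf, sizeof buf);
}
```

The quoted datagram travelled in the ORIGINAL direction, so the inverted tuple hits the REPLY entry, which is why such errors show up with IP_CT_IS_REPLY set in ctinfo.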
Subject: Re: conntrack tuple
From: Miguel Alejandro González @ 2012-09-16 0:08 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel
So, I have this code; I got it from the Writing netfilter code ebook:
#include <linux/netfilter/nf_conntrack_common.h>	/* ip_conntrack_info, CTINFO2DIR() */
#include <net/netfilter/nf_conntrack.h>		/* struct nf_conn, nf_ct_get() */

const struct nf_conn *ct;
const struct nf_conntrack_tuple *t;
enum ip_conntrack_info ctinfo;
enum ip_conntrack_dir dir;

ct = nf_ct_get(skb, &ctinfo);
/* Test ct for NULL before dereferencing it: untracked packets carry no
 * conntrack. Note that an ICMP error matched to a tracked connection arrives
 * with ctinfo == IP_CT_RELATED (plus IP_CT_IS_REPLY when it travels in the
 * reply direction), so the IP_CT_RELATED case is rejected here before any
 * tuple is read. */
if (ct == NULL || ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)
	return false;
dir = CTINFO2DIR(ctinfo);
t = &ct->tuplehash[dir].tuple;	/* tuple as seen from the packet's direction */
Assuming there was already an established UDP or TCP connection that
passed through conntrack, and going by what you told me, conntrack should get a
tuple with the inner headers upon receiving a Destination Unreachable
error message with an inner packet. I'm testing this code and I get an
ICMP tuple with 771 as id; is this ok? I think I should be getting a
UDP or TCP tuple with the L4 headers from the inner packet...
I'm using kernel 2.6.38; I think you guys changed the tuple to have
type and code instead of id in later versions... maybe I should use
the latest version...
In my module I have the function need_ipv4_conntrack() in the init
function, I think this is enough to load conntrack.
Regards!
On Sat, Sep 15, 2012 at 4:14 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Hi,
>
> On Fri, Sep 14, 2012 at 09:57:36AM -0500, Miguel Alejandro González wrote:
>> Hello
>>
>> I have some questions about how the conntrack tuple handles ICMP error messages...
>>
>> When an ICMP error packet arrives containing an embedded UDP or TCP
>> packet, assuming there was already a UDP or TCP connection being
>> tracked by conntrack, what are the IP addresses of the tuple, the ones
>> from the ICMP error message or the ones from the embedded packet?
>
> It uses the inner headers of the ICMP error message, i.e. "the ones from
> the embedded packet".
>
> See net/ipv4/netfilter/nf_conntrack_proto_icmp.c
>
>> Also, does the tuple save port information in this case as well as ICMP
>> type and code?
>
> Conntrack does not save any ICMP error information.
>
>> How does conntrack know that the ICMP error message is related to an
>> existing connection?
>
> The conntrack code looks up an existing entry by using the
> information in the inner headers of the ICMP error message.
>
> If no entry is found, the packet is considered invalid, and you can
> drop it with iptables ... -m state --state INVALID